In many network environments, illegal or unauthorized users may exploit vulnerabilities in the network to gain access, deny access, or otherwise attack systems in the network. As such, to detect and remediate such network vulnerabilities, existing network security systems typically conduct vulnerability analysis in the network through manual inspection or network scans. For example, as discussed in co-pending U.S. patent application Ser. No. 11/016,761, the contents of which are incorporated by reference above, passive and active vulnerability scans may be conducted separately or in combination with one another to identify vulnerabilities in a network. In particular, active vulnerability scanners typically send packets or other messages to various devices in the network that the active vulnerability scanners may be auditing. In many instances, to effectively perform a vulnerability scan, the active vulnerability scanners typically need access to certain information in the audited devices, including a registry that contains settings and configurations associated with operating systems, kernels, device drivers, or other applications that may be running on the audited devices.
As such, because vulnerability scans typically involve an active vulnerability scanner remotely accessing a device that the active vulnerability scanner may be auditing, the active vulnerability scanner must access the registries for such devices remotely. However, improper or malicious manipulation of the information contained in the registry for any particular device in a network can cause many different problems or other vulnerabilities in the device and the network. Thus, many networks disable services that enable remote access to device registries to protect the devices and the network from undesirable, unauthorized, or malicious activity. Furthermore, many operating systems (e.g., Windows Vista™) have default configurations that automatically disable the services that enable remote access to device registries. For example, U.S. Patent Application Pub. No. 2004/0003266, entitled “Non-Invasive Automatic Offsite Patch Fingerprinting and Updating System and Method,” the contents of which are hereby incorporated by reference in their entirety, notes that services that provide registry information to remote computers can present security risks because such services can expose information that can be referenced to facilitate network infiltration or other network attacks.
Accordingly, many existing network systems tend to avoid using services that enable remote access to a device registry due to the security risks that such services can introduce to a network. However, the device registry often contains vital information that may be necessary to perform a complete network audit. For example, as noted above, the device registry can contain information that describes an operating system version, system file locations, or other information that may be valuable in identifying vulnerabilities, and such information is needed to properly and completely audit the network. Therefore, because existing network security systems tend to disable or restrict access to services that can be used to remotely access device registries, existing network security systems often cannot obtain important information from the device registries that may be needed to suitably audit a network. Furthermore, when existing network security systems enable the services that provide remote access to the device registries, attackers or other malicious users may exploit the security risks that such services introduce.
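The following Windows PowerShell script is an added illustration of the dependency described above and is not part of this application or of any scanner it describes. It first checks the state of the Remote Registry service on an audited device and then attempts the remote registry read an active scanner would perform to obtain the operating system version and system root. The hostname in $Target is a hypothetical placeholder, the script assumes an account with administrative rights on the audited device, and it assumes Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7).

```powershell
# Added example (not from the application text): probe the remote registry
# access that an active vulnerability scanner relies on.
# Assumptions: $Target is a hypothetical hostname; the caller holds
# administrative rights on it; Windows PowerShell 5.1 on the scanning host.
param(
    [string]$Target = 'audited-host.example.test'   # hypothetical name
)

# 1. State of the service that exposes the registry to remote computers.
#    Get-Service -ComputerName talks to the Service Control Manager over RPC,
#    so this check works even when Remote Registry itself is stopped.
$svc = Get-Service -Name RemoteRegistry -ComputerName $Target -ErrorAction Stop
"{0}: RemoteRegistry is {1} (StartType = {2})" -f $Target, $svc.Status, $svc.StartType

# 2. The read a scanner would perform. OpenRemoteBaseKey uses the winreg
#    named pipe over SMB (TCP 445); when the service is stopped or disabled,
#    the default on Windows Vista and later, the call throws and the auditor
#    obtains nothing from the registry.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Target)
    $cv = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    [pscustomobject]@{
        Host        = $Target
        ProductName = $cv.GetValue('ProductName')   # e.g. OS edition string
        Build       = $cv.GetValue('CurrentBuild')  # OS build number
        SystemRoot  = $cv.GetValue('SystemRoot')    # system file location
    }
    $cv.Close()
    $hklm.Close()
}
catch {
    # Typical failures: "The network path was not found" (service stopped or
    # port 445 filtered) or access denied (insufficient rights on the target).
    Write-Warning ("Remote registry read failed on {0}: {1}" -f $Target, $_.Exception.Message)
}
```

Running the script against a device with Remote Registry stopped produces only the service state and the warning, which is exactly the gap the background describes: the scanner can see that the service is disabled but cannot retrieve the version and path information it needs for a complete audit.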
Therefore, a need exists for a network security system that can remotely scan device registries during a network audit without exposing the device registries to malicious activity.